Disable Istio sidecar injection for Job pods

Question  Votes: 0  Answers: 3

How do I disable Istio sidecar injection for a Kubernetes Job?

apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: pod-restart
spec:
  concurrencyPolicy: Forbid
  schedule: '0 8 * * *'
  jobTemplate:
    metadata:
      annotations:
        sidecar.istio.io/inject: "false"
    spec:
      backoffLimit: 2
      activeDeadlineSeconds: 600
      template:
        spec:
          serviceAccountName: pod-restart
          restartPolicy: Never
          containers:
            - name: kubectl
              image: bitnami/kubectl
              command: ['kubectl', 'rollout', 'restart', 'deployment/myapp']

The sidecar still gets injected.

istio kubernetes-cronjob istio-sidecar
3 Answers
32
votes

The annotation is in the wrong place. You have to put it on the pod template.

apiVersion: batch/v1beta1
kind: CronJob
metadata:
spec:
  jobTemplate:
    spec:
      template:
        metadata:
          annotations:
            sidecar.istio.io/inject: "false"

Here is a working CronJob example with Istio injection disabled.

apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: hello
spec:
  schedule: "*/1 * * * *"
  jobTemplate:
    spec:
      template:
        metadata:
          annotations:
            sidecar.istio.io/inject: "false"
        spec:
          containers:
          - name: hello
            image: busybox
            args:
            - /bin/sh
            - -c
            - date; echo "Hello, World!"
          restartPolicy: OnFailure

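There is also a related GitHub issue.


10
votes

Now, according to the documentation, the annotation is deprecated: https://istio.io/latest/docs/reference/config/annotations/ It is better to use a label instead: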

apiVersion: batch/v1
kind: CronJob
metadata:
  name: jobs-cleanup
spec:
  schedule: "*/4 * * * *"
  successfulJobsHistoryLimit: 1
  jobTemplate:
    spec:
      template:
        metadata:
          labels:
            sidecar.istio.io/inject: "false"
        spec:
          serviceAccountName: cleaner
          containers:
          - name: kubectl-container
            image: bitnami/kubectl:latest
            command: ["sh", "/tmp/clean.sh"]
            volumeMounts:
            - name: cleaner-script
              mountPath: /tmp/
          restartPolicy: Never
          volumes:
          - name: cleaner-script
            configMap:
              name: cleaner-script

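0
votes

As mentioned above, the annotation is deprecated and a label should be used: https://istio.io/latest/docs/reference/config/annotations/#SidecarInject

What is the difference? If we look at the istiod code (https://github.com/istio/istio/blob/master/istioctl/pkg/injector/injector-list.go#L314), the difference is that the annotation is evaluated by istiod, while the label is evaluated at the k8s level.

In summary, if you use the annotation and the istiod pod fails, your pods that use the annotation will fail too (the Istio proxy cannot be injected), because the MutatingWebhookConfiguration will still select them. If you use the label, the MutatingWebhookConfiguration will filter those pods out at the k8s level and will not call the istiod endpoint at all, and your labeled pods will work as expected.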
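The three placements discussed on this page, compared in an added example that is not from the question or any of the answers. It assumes the namespace has injection enabled and models the webhook's objectSelector as a single `NotIn ["false"]` expression on the label; `classify`, `make_cronjob` and the result strings are hypothetical names, and the manifests are constructed.

```python
# Added illustration; manifests are constructed and the selector is a simplified model.
KEY = "sidecar.istio.io/inject"

# Assumption: the injector webhook's objectSelector excludes pods labelled KEY=false.
OBJECT_SELECTOR = {"matchExpressions": [{"key": KEY, "operator": "NotIn", "values": ["false"]}]}


def selector_matches(selector, labels):
    """Evaluate a selector against labels using Kubernetes LabelSelector semantics."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        if op == "In" and labels.get(key) not in values:
            return False
        if op == "NotIn" and labels.get(key) in values:  # an absent key satisfies NotIn
            return False
        if op == "Exists" and key not in labels:
            return False
        if op == "DoesNotExist" and key in labels:
            return False
    return True


def classify(cronjob):
    """Say who, if anyone, honours the opt-out (namespace injection assumed enabled)."""
    job_tpl = cronjob["spec"]["jobTemplate"]
    pod_meta = job_tpl["spec"]["template"].get("metadata") or {}
    if not selector_matches(OBJECT_SELECTOR, pod_meta.get("labels") or {}):
        return "skipped-by-apiserver"   # webhook is never called
    if (pod_meta.get("annotations") or {}).get(KEY) == "false":
        return "skipped-by-istiod"      # webhook is called, injector declines
    job_meta = job_tpl.get("metadata") or {}
    if any(KEY in (job_meta.get(f) or {}) for f in ("labels", "annotations")):
        return "injected-optout-misplaced"  # set on the Job, which never reaches the Pod
    return "injected"


def make_cronjob(job_meta=None, pod_meta=None):
    """Build a minimal CronJob dict with the given Job-level and Pod-level metadata."""
    template = {"metadata": pod_meta or {}, "spec": {"containers": []}}
    return {"kind": "CronJob",
            "spec": {"jobTemplate": {"metadata": job_meta or {}, "spec": {"template": template}}}}


QUESTION = make_cronjob(job_meta={"annotations": {KEY: "false"}})
ANSWER_ANNOTATION = make_cronjob(pod_meta={"annotations": {KEY: "false"}})
ANSWER_LABEL = make_cronjob(pod_meta={"labels": {KEY: "false"}})

if __name__ == "__main__":
    for name in ("QUESTION", "ANSWER_ANNOTATION", "ANSWER_LABEL"):
        print(name, "->", classify(globals()[name]))
```

Only the label placement keeps the pod out of the webhook call entirely, which is the availability difference the last answer describes.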
